Cryptography Lecture 9: Key Distribution and Trust, Elliptic Curve Cryptography

Cryptography Lecture 9
Key distribution and trust, Elliptic curve cryptography

Key Management
• The first key in a new connection or

association is always delivered via a
courier
• Once you have a key, you can use

that to send new keys
• If Alice shares a key with Trent and

Trent shares a key with Bob, then
Alice and Bob can exchange a key
via Trent (provided they both trust
Trent)
Key distribution center
• If Alice shares a key with Trent and Trent shares a key with Bob,
then Alice and Bob can exchange a key via Trent (provided they
both trust Trent)
Trent
KAT , KBT
Alice, KAT Bob, KBT

both trust Trent)
Trent
KAT , KBT
)
B
A
||K
B
D
(I
T
E KA
1:
Alice, KAT Bob, KBT

both trust Trent)
Trent
KAT , KBT
) 2:
A
B E
K
||K B
T (I
B D
D
(I A|
T |K
KA A
1:E B)
Alice, KAT Bob, KBT

Key distribution center, key server
then Alice and Bob can receive a key from Trent (provided they
both trust Trent)
Trent
KAT , KBT
B)
AT
(ID
K
E
1:
Alice, KAT Bob, KBT

Key distribution center, key server
then Alice and Bob can receive a key from Trent (provided they
both trust Trent)
Trent
KAT , KBT
2:
E
B)
K
(ID
) B
T (I
AB D
AT
|| K A|
K
|K
E
B
(ID
1:
A
B)
T
A
EK
2:
Alice, KAT Bob, KBT
Key distribution center, Blom key pre-distribution
and Alice and Bob each have a public id rA , rB , they can recieve
key-generation info from Trent (provided they both trust Trent)
Trent
KAT , KBT , a, b, c
aU = a + brU , bU = b + crU
) E
A K
,b BT
(a
(a A B ,b
T B)
E KA
KAB = aA + bA rB
Alice, KAT , rA Bob, KBT , rB
= aB + bB rA
Key distribution center, Station-To-Station (STS) protocol
• What about Diffie-Hellman key exchange?
Trent
KAT , KBT
αa mod p
Alice, KAT Bob, KBT

αb mod p
• What about Diffie-Hellman key exchange?

• Eve can do an “intruder-in-the-middle”
Trent
KAT , KBT
αa mod p αe mod p
Alice, KAT Eve Bob, KBT
e αb mod p
α mod p
then Alice and Bob can use Trent to verify that they exchange key
with the right person
Trent
KAT , KBT
αa mod p
Alice, KAT Bob, KBT

αb mod p
Trent
KAT , KBT
αa mod p
αb mod p
Alice, KAT Bob, KBT
EKAB (sigA (αa , αb ))
EKAB (sigB (αa , αb ))

Trent
KAT , KBT
B?
ve
rA
r
ve
?
αa mod p
αb mod p
Alice, KAT Bob, KBT

Trent
KAT , KBT
B?
ve
ve
rA
r
rB rA
ve
ve
?
αa mod p
αb mod p
Alice, KAT Bob, KBT

both trust Trent)
Trent
KAT , KBT
) 2:
A
B E
K
||K B
T (I
B D
D
(I A|
T |K
KA A
1:E B)
Alice, KAT Bob, KBT

Key distribution center, replay attacks
• But perhaps Eve has broken a previously used key, and intercepts
Alice’s request
Trent
KAT , KBT
) Eve
AB
B
||K
(ID
T
EKA
1:
Alice, KAT Bob, KBT

Key distribution center, replay attacks
• But perhaps Eve has broken a previously used key, and intercepts
Alice’s request
• Then she can fool Bob into communicating with her
Trent
KAT , KBT
B
) Eve 2: old
||K
A EK
B BT (ID
(ID
T A ||
EKA K
1: AB
)
Alice, KAT Bob, KBT
Key distribution center, wide-mouthed frog
• Alice and Trent add time stamps to prohibit the attack
Trent
AB
) KAT , KBT
B|
|K
D
||I
A
AT
(t
K
E
1:
Alice, KAT Bob, KBT

Trent
AB
) KAT , KBT 2:
E
|K
K
B
B|
T (t
D
T ||I
||I
D
A
(t
A|
|K
AT
K
A
E
B)
1:
Alice, KAT Bob, KBT


• But now, Eve can pretend to be Bob and make a request to Trent
Trent
KAT , KBT 2: 3: E
)
AB
E K
BT (t
|K
K
B T ||ID
B|
T (t
D
T A ||
||I K
|| I
D AB
A
)
(t
A|
|K
AT
Eve
K
A
E
B)
1:
Alice, KAT Bob, KBT


• But now, Eve can pretend to be Bob and make a request to Trent,
who will forward the key to Alice
Trent
KAT , KBT 2: 3: E
)
AB
E K
BT (t
|K
K
B T ||ID
B|
) T (t
D
AB T ||I
A ||
K
||I
||K D AB
A
)
(t
B
|ID
A|
0 |
|K
AT
Eve
K
(t T A
E
B)
1:
T
E KA
Alice, KAT4: Bob, KBT
Key distribution center, Needham-Schroeder key agreement
• Another variation is to use nonces to prohibit the replay attack
Trent
|r
B|
1
KAT , KBT
|ID
A|
DI
1:
Alice, KAT Bob, KBT

Trent
|r
B|
1
KAT , KBT
2: EKAT (KS ||IDB ||r1 ||EKBT (KS ||IDA ))

|ID
A|
DI
1:
Alice, KAT Bob, KBT

Trent
|r
B|
1
KAT , KBT

|ID
A|
D
3: EKBT (KS ||IDA )

I
1:
Alice, KAT Bob, KBT

Trent
|r
B|
1
KAT , KBT

|ID
A|
D
3: EKBT (KS ||IDA )

I
1:
4: EKS (r2 )
Alice, KAT Bob, KBT
Trent
KAT , KBT
1
|r
B|

|ID
A|
D
3: EKBT (KS ||IDA )

I
1:
4: EKS (r2 )
Alice, KAT Bob, KBT
5: EKS (r2 − 1)

• If Eve ever breaks one session key, she can get Bob to reuse it
Trent
KAT , KBT
1: EKBT (KS ||IDA )

2: EKS (r2 )
Alice, KAT Eve Bob, KBT
3: EKS (r2 − 1)
Kerberos
Trent Grant
KC , KG KG , KS
• A client, Cliff
Cliff
KC • An authentication server, Trent
• An authorization server, Grant
• A service server, Serge
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
• A client, Cliff
Cliff
KC • An authentication server, Trent
• An authorization server, Grant
• A service server, Serge
Serge • They share keys KC , KG , KS

KS
Kerberos
Trent Grant
KC , KG KG , KS
1 1. Cliff sends Trent IDC ||IDG
Cliff
KC
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
Cliff 2. Trent responds width EKC (KCG )||TGT

KC where TGT = IDG ||EKG (IDC ||t1 ||KGC )
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
2 3

3. Cliff sends Grant EKCG (IDC ||t2 )||TGT
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
2 3
1 4 1. Cliff sends Trent IDC ||IDG

4. Grant responds with EKCG (KCS )||ST
where ST = EKS (IDC ||t3 ||texpir. ||KCS )
Serge
KS
Kerberos
Trent Grant
KC , KG KG , KS
2 3
1 4 1. Cliff sends Trent IDC ||IDG

5 4. Grant responds with EKCG (KCS )||ST
where ST = EKS (IDC ||t3 ||texpir. ||KCS )
Serge 5. Cliff sends Serge EKCS (IDC ||t4 )||ST and
KS can then use Serge’s services
Public key distribution
• Public key distribution uses a Public Key Infrastructure (PKI)
Certification Authority
sT , {ei }
Alice, vT , dA Bob, vT , dB
Public key distribution, using Certification Authorities
• Public key distribution uses a Public Key Infrastructure (PKI)

• Alice sends a request to a Certification Authority (CA) who
responds with a certificate, ensuring that Alice uses the correct
key to communicate with Bob
Certification Authority
sT , {ei }
)
B
,e
B
B
ID
(ID
1:
n T
i g
,s
B
2 :e
Alice, vT , dA Bob, vT , dB
Public key distribution, using X.509 certificates
• The CAs often are commercial companies, that are assumed to be

trustworthy
• Many arrange to have the root certificate packaged with IE,
Mozilla, Opera,. . .
• They issue certificates for a fee
• They often use Registration Authorities (RA) as sub-CA for
efficiency reasons
Public key distribution, X.509 certificates in your browser
Public key distribution, using web of trust
• No central CA
• Users sign each other’s public key
Alice (hashes)
• This creates a “web of trust”
Fred Bob
Eric Charlie
Diana
Public key distribution, using web of trust (PGP and GPG)
• No central CA
• Users sign each other’s public key
Alice (hashes)
• This creates a “web of trust”
Fred Bob
• Each user keeps a keyring with
the keys (s)he has signed
• The secret key is stored on a
Eric Charlie secret keyring, on h{er,is}
computer
Diana
• The public key(s) and their
signatures are uploaded to key
servers
Public key distribution, a web-of-trust path
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• This is a client-server handshake procedure to establish key

• The server (but not the client) is authenticated (by its certificate)
Client Server
ClientHello: highest TLS protocol version, random number, suggested public key
systems + symmetric key systems + hash functions + compression
algorithms
ClientHello
Client Server
algorithms
ServerHello, Certificate, ServerHelloDone: chosen protocol version, a (different) random
number, system choices, public key
ClientHello
ServerHello,. . .
Client Server
algorithms
ClientKeyExchange: PreMasterSecret, encrypted with the server’s public key
ClientHello
ServerHello,. . .
Client ClientKeyExchange Server

algorithms
(Master secret): creation of master secret using a pseudorandom function, with the
PreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for the
two directions of communication
ClientHello
ServerHello,. . .

algorithms
(Master secret): creation of master secret using a pseudorandom function, with the
PreMasterSecret as seed
(Session keys): session keys are created using the master secret, different keys for the
two directions of communication
ChangeCipherSpec, Finished authenticated and encrypted, containing a MAC for the
previous handshake messages
ClientHello
ServerHello,. . .
. . . ,Finished
ClientHello
ServerHello,. . .
. . . ,Finished
• SSL 1.0 (no public release), 2.0 (1995), 3.0 (1996), originally by
Netscape
• TLS 1.0 (1999), changes that improve security, among other things
how random numbers are chosen
• Sensitive to CBC vulnerability discovered 2002,
demonstrated by BEAST attack 2011
• Current problem: TLS 1.0 is fallback if either end does not
support higher versions
ClientHello
ServerHello,. . .
. . . ,Finished
• TLS 1.1 (2006), added protection against CBC attacks by explicit

IV specification
• TLS 1.2 (2008), e.g., change MD5-SHA1 to SHA256
• Never fall back to SSL 2.0 (2011)
• TLS 1.3 is being prepared, many improvements
ClientHello, ClientKey
ServerHello,. . .
Client Server
. . . ,Finished
• TLS 1.3 is being prepared, many improvements

- CBC is gone, beacuse of BEAST
- RSA is removed (!), no forward secrecy
- RC4, SHA1 and so-called “Export” algorithms removed
- More efficient session startup, less TCP packets
Forward secrecy
• Forward secrecy: Even if the key-distribution cipher is broken, only

one session is broken (not the following or earlier sessions)
• RSA as key transport does not give forward secrecy, while RSA as
signing algorithm may give forward secrecy
• STS (DH) gives forward secrecy if new secrets a and b are used
for each session (so-called “Ephemeral DH”, but beware of reusing
the prime p)
• This property does not only depend on the cipher suite used, but
on the details of how it is used
Key length and the use of Elliptic Curves
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”

Elliptic curves
• An elliptic curve is the set of solutions to the equation
y 2 = x 3 + ax 2 + bx + c
• These solutions are not ellipses, the name elliptic is used for
historical reasons and has do to with the integrals used when
calculating arc length in ellipses:
Z b
dx
√
a x3 + ax 2 + bx + c
Elliptic curves
• An elliptic curve is the set

E = {(x, y ) : y 2 = x 3 + ax 2 + bx + c}
• Examples:
y y
x3 − x x3 − x + 1
x x
E E
Elliptic curves
• Most of the time a “depressed” cubic is enough

E = {(x, y ) : y 2 = x 3 + bx + c}
• Examples:
y y
x3 − x x3 − x + 1
x x
E E
Elliptic curves
• You do not want “singular curves” with multiple roots

E = {(x, y ) : y 2 = x 3 + bx + c}
• Examples:
y y
x3 + x2 − x − 1 x3 − x + 1
x x
E E
Elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c}
y
• Previously we have used

integers (mod p) and
multiplication
x
E
Elliptic curves
E = {(x, y ) : y 2 = x 3 + bx + c}
y
• Previously we have used the

multiplicative group of
integers mod p
x
• We need a group operation
on points of E , we’ll call it
“addition”
E
Addition on elliptic curves
• Given two elements in the group, construct a third
E
• Draw a straight line through the y

two points, it will intersect the
elliptic curve in a third point.
E

Mirror that in the x-axis
E

Mirror that in the x-axis
• If adding a point to itself, use

the tangent line E
• There is one special case: if the y

line through the two points is
vertical, it will not intersect the
elliptic curve again
• We add the point (∞, ∞) x

to E
• This is the neutral element, the

“0” E
• The point (∞, ∞) to E is the y

neutral element, the “0”
• That is, (∞, ∞) + (x, y ) = (x, y )
• This also means that −(x, y ) is x

(x, −y )
E
Addition law: On the elliptic curve
E = {(x, y ) : y 2 = x 3 + bx + c},
(x3 , y3 ) = (x1 , y1 ) + (x2 , y2 )

is calculated as follows:
• If (x1 , y1 ) = (x2 , −y2 ), then (x3 , y3 ) = (∞, ∞)
• If (x1 , y1 ) = (∞, ∞), then (x3 , y3 ) = (x2 , y2 ) (and the other way
around)
• If (x1 , y1 ) = (x2 , y2 ), then let m = (3x12 + b)/(2y1 ), otherwise let
m = (y2 − y1 )/(x2 − x1 ), and let
(x3 , y3 ) = (m2 − x1 − x2 , m(x1 − x3 ) − y1 )

Multiplication on elliptic curves
• Multiplication with an integer is defined through repeated addition
3(x, y ) = (x, y ) + (x, y ) + (x, y )
E
3(x, y ) = (x, y ) + (x, y ) + (x, y )
E
3(x, y ) = (x, y ) + (x, y ) + (x, y )
E
Discrete elliptic curves
• We want to have a discrete set of points. We arrange this by

having coordinates mod p
E = {(x, y ) : y 2 = x 3 + bx + c mod p}
• This is not so easy to draw in a diagram, remember, it is y 2 mod p
y
x3 − x + 1
E
• Example:
E = {(x, y ) : y 2 = x 3 + 4x + 4 mod 5}
The points in E are
x = 0 gives y 2 = 4 so that y = 2 or y = 3
x = 1 gives y 2 = 9 = 4 so that y = 2 or y = 3
x = 2 gives y 2 = 20 = 0 so that y = 0
x = 3 gives y 2 = 43 = 3, no square root
x = 4 gives y 2 = 84 = 4 so that y = 2 or y = 3
x = ∞ gives y = ∞
• Example:
E = {(x, y ) : y 2 = x 3 + 4x + 4 mod 5}
The points in E are
(∞, ∞)
y
x
Elliptic curves
• Addition as we defined it still works on this set (but “straight lines”

mod p need to be handled)
• We now have the group operations to use instead of integer

multiplication and exponentiation
• Hasse’s Theorem: The number of points N in an Elliptic curve E

mod p obeys
√ √
p−1−2 p <N <p−1+2 p
Elliptic curves



mod p obeys
√ √
p−1−2 p <N <p−1+2 p
E = {(x, y ) : y 2 = x 3 + bx + c},
(x3 , y3 ) = (x1 , y1 ) + (x2 , y2 )

• If (x1 , y1 ) = (x2 , −y2 ), then (x3 , y3 ) = (∞, ∞)
around)
m = (y2 − y1 )/(x2 − x1 ), and let
(x3 , y3 ) = (m2 − x1 − x2 , m(x1 − x3 ) − y1 )

E = {(x, y ) : y 2 = x 3 + bx + c},
(x3 , y3 ) = (x1 , y1 ) + (x2 , y2 )

• If (x1 , y1 ) = (x2 , −y2 ), then (x3 , y3 ) = (∞, ∞)
around)
m = (y2 − y1 )/(x2 − x1 ), and let
(x3 , y3 ) = (m2 − x1 − x2 , m(x1 − x3 ) − y1 )

Elliptic curves



mod p obeys
√ √
p−1−2 p <N <p−1+2 p
Discrete Logarithms on elliptic curves
• Remember the discrete logarithm problem: given x and a primitive

root g , find k so that
x = g k mod p
• There is an analog on elliptic curves: given two points A and B on

an elliptic curve, find k so that
B = kA = A + A + ... + A
• This might seem different, but is the equivalent problem. The only
difference is the group operation name (“multiplication or
“addition”)
• The discrete logarithm for elliptic curves: given two points A and B
on an elliptic curve, find k so that
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm.
This works well when the smallest integer n such that
nA = ∞ has only small factors
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm
• The baby step-giant step algorithm works, but is impractical since

it needs a lot of memory
B = kA = A + A + ... + A
• There is an analog for the Polig-Hellman algorithm
• The baby step-giant step algorithm is impractical
• But most importantly, there is no analog for the index calculus

- Integer mod p index calculus is based on using small base numbers
(not small exponents as in Polig-Hellman)
- But there are no points on E that are closer to “0” than any other
points, the distance to (∞, ∞) is the same for all other points
Key length
From “ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012)”

Trapdoor one-way functions
• A trapdoor one-way function is a function that is easy to compute

but computationally hard to reverse
• Easy to calculate xA from x
• Hard to invert: to calculate x from xA
• A trapdoor one-way function has one more property, that with

certain knowledge it is easy to invert, to calculate x from xA
• There is no proof that trapdoor one-way functions exist, or even

real evidence that they can be constructed
Standard (m mod p) ElGamal encryption
• Choose a large prime p, and a primitive root α mod p. Also, take a

random integer a and calculate
β = αa mod p
• The public key is the values of p, α, and β, while the secret key is
the value a
• Encryption uses a random integer k with gcd(k, p − 1) = 1, and the

ciphertext is the pair (αk , β k m), both mod p
• Decryption is done with a, by calculating
(αk )−a (β k m) = (α−ak )(αak m) = m mod p

Elliptic curve ElGamal encryption
• Choose an elliptic curve E mod a large prime p, and a point α on

E . Also, take a random integer a and calculate β = aα
• The public key is E and the values of p, α, and β, while the secret
key is the value a
• Encryption uses a random integer k, and the ciphertext is the pair

(kα, kβ + m)
• Decryption is done with a, by calculating
−a(kα) + (kβ + m) = −akα + k(aα) + m = m

Representing plaintext on elliptic curves
• Unfortunately, it is not simple to represent a given plaintext as a

point on E
• Even worse, there is actually no polynomial time algorithm that

can write down all points of an elliptic curve
• There is a method that will work with high probability:

• The message m should be in the x-coordinate, but there is no
guarantee that m3 + bm + c is a square mod p
• Each number x has a probability of about 1/2 that x 3 + bx + c
is a square, so put a few bits at the end of m and run through
all possible values
• If the number of possible values is K , the risk of failure is 2−K
Standard (integer mod p) Diffie-Hellman key exchange
• Use two one-way functions f and g : exponentiation mod p (of a

primitive root α), the symmetry is
(αa )b = (αb )a mod p
• This cannot be used for encryption/signing because one does not

recover a or b.
• But it can be used for key exchange:

parameters p and α
• Alice takes a secret random a and makes αa public
• Bob takes a secret random b and makes αb public
• Both can now create k = (αa )b = (αb )a mod p
Elliptic curve Diffie-Hellman key exchange
• Use two one-way functions f and g : multiplication on an elliptic

curve E (of a point α), the symmetry is
b(aα) = a(bα)
• This cannot be used for encryption/signing because one does not

recover a or b.
• But it can be used for key exchange:

parameters E , p and α
• Alice takes a secret random a and makes aα public
• Bob takes a secret random b and makes bα public
• Both can now create k = b(aα) = a(bα)
Standard (mod p) ElGamal signatures
• Choose a large prime p, and a primitive root α mod p. Also, take a

random integer a and calculate β = αa mod p
• The public key is the values of p, α, and β, while the secret key is
the value a
• Signing uses a random integer k with gcd(k, p − 1) = 1, and the

signature is the pair (r , s) where
r = αk mod p
s = k −1 (m − ar ) mod (p − 1)
• Verification is done comparing β r r s and αm mod p, since
β r r s = αar αk(m−ar )/k = αm mod p

Elliptic curve ElGamal signatures
• Choose an elliptic curve E mod a large prime p, and a point α on

E . Also, take a random integer a and calculate β = aα
• The public key is E and the values of p, α, and β, while the secret
key is the value a
• Signing uses a random integer k with gcd(k, n) = 1 where n is the
number of points on E . The signature is created by inverting k
mod n and forming the pair (r , s) as
r = kα
s = k −1 (m − arx )
• Verification is done comparing rx β + sr and mα, since
rx β + sr = rx (aα) + k −1 (m − arx ) (kα)

= rx (aα) + mα − arx α = mα
Trapdoor one-way functions
A trapdoor one-way function is a function that is easy to compute but
computationally hard to reverse
• Easy to calculate f (x) from x
• Hard to invert: to calculate x from f (x)
A trapdoor one-way function has one more property, that with certain
knowledge it is easy to invert, to calculate x from f (x)
There is no proof that trapdoor one-way functions exist, or even real
evidence that they can be constructed. Examples:
• RSA (factoring)
• Knapsack (NP-complete but insecure with trapdoor)
• Diffie-Hellman + ElGamal (discrete log)
• EC Diffie-Hellman + EC ElGamal (EC discrete log)

Cryptography Lecture 9: Key Distribution and Trust, Elliptic Curve Cryptography

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cryptography Lecture 9: Key Distribution and Trust, Elliptic Curve Cryptography

Uploaded by

Copyright:

Available Formats

Cryptography Lecture 9

Key distribution and trust, Elliptic curve cryptography

• The first key in a new connection or

• Once you have a key, you can use

• If Alice shares a key with Trent and

Alice, KAT Bob, KBT

Alice, KAT Bob, KBT

Alice, KAT Bob, KBT

Alice, KAT Bob, KBT

• What about Diffie-Hellman key exchange?

Alice, KAT Bob, KBT

• What about Diffie-Hellman key exchange?

Alice, KAT Bob, KBT

EKAB (sigB (αa , αb ))

EKAB (sigB (αa , αb ))

EKAB (sigB (αa , αb ))

Alice, KAT Bob, KBT

Alice, KAT Bob, KBT

• Alice and Trent add time stamps to prohibit the attack

Alice, KAT Bob, KBT

• Alice and Trent add time stamps to prohibit the attack

Alice, KAT Bob, KBT

• Alice and Trent add time stamps to prohibit the attack

Alice, KAT Bob, KBT

• Alice and Trent add time stamps to prohibit the attack

• Another variation is to use nonces to prohibit the replay attack

Alice, KAT Bob, KBT

• Another variation is to use nonces to prohibit the replay attack

2: EKAT (KS ||IDB ||r1 ||EKBT (KS ||IDA ))

Alice, KAT Bob, KBT

• Another variation is to use nonces to prohibit the replay attack

2: EKAT (KS ||IDB ||r1 ||EKBT (KS ||IDA ))

3: EKBT (KS ||IDA )

Alice, KAT Bob, KBT

• Another variation is to use nonces to prohibit the replay attack

2: EKAT (KS ||IDB ||r1 ||EKBT (KS ||IDA ))

3: EKBT (KS ||IDA )

• Another variation is to use nonces to prohibit the replay attack

2: EKAT (KS ||IDB ||r1 ||EKBT (KS ||IDA ))

3: EKBT (KS ||IDA )

• Another variation is to use nonces to prohibit the replay attack

1: EKBT (KS ||IDA )

Serge • They share keys KC , KG , KS

1 1. Cliff sends Trent IDC ||IDG

1 1. Cliff sends Trent IDC ||IDG

Cliff 2. Trent responds width EKC (KCG )||TGT

1 1. Cliff sends Trent IDC ||IDG

Cliff 2. Trent responds width EKC (KCG )||TGT

1 4 1. Cliff sends Trent IDC ||IDG

Cliff 2. Trent responds width EKC (KCG )||TGT

1 4 1. Cliff sends Trent IDC ||IDG

Cliff 2. Trent responds width EKC (KCG )||TGT

• Public key distribution uses a Public Key Infrastructure (PKI)

• Public key distribution uses a Public Key Infrastructure (PKI)

• The CAs often are commercial companies, that are assumed to be

• This is a client-server handshake procedure to establish key

Client ClientKeyExchange Server

Client ClientKeyExchange Server

Client ClientKeyExchange Server

Client ClientKeyExchange Server

Client ClientKeyExchange Server

• TLS 1.1 (2006), added protection against CBC attacks by explicit